A threat actor has been observed targeting industrial control systems (ICS) to build a botnet. The lure is password-cracking software for programmable logic controllers (PLCs) and human-machine interfaces (HMIs), advertised through multiple social media accounts.

What's happening in the campaign?

The campaign offers to unlock PLC and HMI terminals from Automation Direct, Siemens, Fuji Electric, Mitsubishi, Weintek, ABB, and others.
  • Researchers at Dragos examined one sample aimed at DirectLogic PLCs from Automation Direct. The tool does not crack anything: it exploits a known vulnerability in the device to retrieve the password.
  • The exploit used by the tool (CVE-2022-2003) works only over serial communications, so it needs a direct serial connection from an engineering workstation (EWS) to the PLC. That bounds the attack path, not the risk: anyone with physical access to the port can recover the password.
  • In the background, the tool drops Sality, a malware that enrolls the host in a peer-to-peer botnet used for a range of tasks.

Let's talk about Sality

Sality is a long-established malware family that uses a distributed, peer-to-peer architecture to complete tasks such as cryptomining and password cracking faster. It is still evolving; its capabilities include terminating running processes (typically security software), downloading additional payloads, connecting to remote sites, and stealing data from the host.
  • The malware injects itself into running processes and abuses the Windows AutoRun feature: it copies itself, together with an autorun.inf that launches the copy, onto external drives, removable storage devices, and network shares to spread further.
  • The identified sample also steals cryptocurrency. It monitors the clipboard and replaces copied wallet addresses so that transactions are redirected to the attacker.
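The AutoRun propagation described above leaves a concrete artifact on every infected drive: an autorun.inf that points Windows at the dropped executable. The following scanner is an added example written for this page (it is not code from Dragos or from the Cyware article) that parses autorun.inf text tolerantly, since worm-written files often interleave junk lines, and reports any entry that would launch an executable from the medium. The sample autorun.inf contents, the lookalike-folder list and the severity labels are constructed for illustration.

```python
"""Flag autorun.inf files that would launch an executable from removable media.

Added example, not from the original article or from Dragos. Legitimate vendor
media usually sets only an icon or label; an [autorun] section that launches an
executable, especially from a folder mimicking a system directory, is what a
Sality-style worm writes. Sample inputs below are constructed.
"""
import re
from dataclasses import dataclass

# [autorun] keys that make Windows run something (open, shellexecute, shell\X\command).
LAUNCH_KEYS = {"open", "shellexecute"}
LAUNCH_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Interpreters that launch code even when referenced without an extension.
INTERPRETERS = {"cmd", "rundll32", "wscript", "cscript", "mshta", "powershell"}
# Folder names worms use to hide the dropped copy (assumed heuristic list).
LOOKALIKE_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")


@dataclass
class Finding:
    key: str
    value: str
    severity: str  # "medium" or "high"
    reason: str


def parse_autorun(text: str) -> dict[str, str]:
    """Parse the [autorun] section into a dict with lowercase keys.

    Tolerant by design: comments, NUL padding and junk lines are skipped, because
    worm-written autorun.inf files often contain garbage that breaks strict parsers.
    """
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key:
            entries[key] = value.strip()
    return entries


def _is_launch_key(key: str) -> bool:
    return key in LAUNCH_KEYS or bool(LAUNCH_KEY_RE.match(key))


def _launches_code(value: str) -> bool:
    """True if the first token of the command is an executable or an interpreter."""
    tokens = value.strip('"').lower().split()
    if not tokens:
        return False
    first = tokens[0].strip('"')
    base = first.rsplit("\\", 1)[-1]
    return first.endswith(EXEC_EXTENSIONS) or base.split(".")[0] in INTERPRETERS


def assess_autorun(text: str) -> list[Finding]:
    """Return one Finding per [autorun] entry that would execute code from the medium."""
    findings: list[Finding] = []
    for key, value in parse_autorun(text).items():
        if not _is_launch_key(key) or not _launches_code(value):
            continue
        if any(d in value.lower() for d in LOOKALIKE_DIRS):
            findings.append(Finding(key, value, "high",
                            "executable launched from a folder mimicking a system directory"))
        else:
            findings.append(Finding(key, value, "medium",
                            "AutoRun launches an executable from the medium"))
    return findings


# Constructed sample resembling a worm-dropped autorun.inf, junk comment included.
WORM_STYLE_AUTORUN = """[autorun]
;xk9Qz
open=RECYCLER\\update.exe
shell\\open\\Command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign vendor-media autorun.inf: icon and label only.
BENIGN_AUTORUN = """[autorun]
icon=tools.ico
label=Vendor Engineering Tools
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_STYLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        for f in assess_autorun(sample) or [None]:
            print(name, "->", "clean" if f is None else f"{f.severity}: {f.key}={f.value} ({f.reason})")
```

In practice you would feed `assess_autorun` the contents of `autorun.inf` from the root of each removable drive or share; a hit of any severity on engineering workstation media is worth treating as a possible infection, since AutoRun from removable media has no business on an OT host.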

Ending notes

The campaign is still active, and anyone administering PLCs should be aware of it. Operational technology engineers are advised not to use password-cracking tools at all, least of all ones downloaded from social media. If there is a genuine need to recover a password from a locked device, contact the vendor for guidance and instructions, and treat any workstation that has already run such a tool as compromised until it has been checked.
Cyware Publisher